
I'm trying to secure my Firebase Functions by using authorization.
I wrote a very simple callable function:

const functions = require('firebase-functions');

// Callable function: the Firebase SDK verifies the caller's ID token and
// exposes it as context.auth, which this version does not yet inspect.
exports.hey = functions.https.onCall((data, context) => {
  return { hello: "world" };
});

Then I deployed it to GC and added the Invoker permission to allAuthenticatedUsers.
Then I went to my app and wrote some test code:

FirebaseFunctions.getInstance().getHttpsCallable("hey").call(null).addOnCompleteListener(task -> {
    if (task.isSuccessful()) {
        System.out.println(task.getResult().getData());
    } else {
        FirebaseCrashlytics.getInstance().recordException(task.getException());
    }
});

This code runs after the user authenticates with FirebaseAuth.getInstance().signInWithCustomToken(); (I have my own authentication system; it works, I can see the authenticated user in the Firebase Auth dashboard along with the last login, and the user is able to read the database), but the function call always returns HTTP 403.

I know that within the function I can use the context to check the auth field and verify whether the user is authenticated, but what is the point of the permissioning system in GC at all? If in the end we always need to check context.auth, am I missing something?

W/System.err: com.google.firebase.functions.FirebaseFunctionsException: UNAUTHENTICATED


If the ID token passed to a Cloud Function represents a Google account, it works; otherwise, it doesn't.

An authenticated client request to a Google Cloud Function must have an Authorization: Bearer ID_TOKEN header or ?access_token=ID_TOKEN.

The Authorization header is set with the user's ID token, which is used as a context parameter. A Firebase user's ID token doesn't always represent a Google user, which makes it incompatible with allAuthenticatedUsers. Because of this you check context.auth. Otherwise you may try with "allUsers", which should work.

You can see this Stack Overflow answer for more information.

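The context.auth check the answer refers to, as an added example that is not code from the question or the answer above. It takes the question's callable body, guards it so that a request with no Firebase identity is rejected with the same UNAUTHENTICATED status the question's client log shows, and adds a second gate on a developer claim carried by the custom token. Assumptions, so the file runs offline with plain node: the HttpsError class stands in for functions.https.HttpsError, the `role` claim name is hypothetical, and the contexts at the bottom are constructed by hand rather than captured from a real invocation.

```javascript
// Added example, not from the original post. HttpsError mimics
// functions.https.HttpsError so firebase-functions need not be installed.
class HttpsError extends Error {
  constructor(code, message) {
    super(message);
    this.code = code; // e.g. 'unauthenticated', 'permission-denied'
  }
}

// Gate 1: the caller must carry a Firebase ID token. For onCall functions the
// SDK verifies the token before the handler runs and sets context.auth; it is
// null when no valid Firebase token was sent, whatever the IAM invoker setting.
function requireAuth(context) {
  if (!context || !context.auth || !context.auth.uid) {
    throw new HttpsError('unauthenticated', 'Sign-in required.');
  }
  return context.auth;
}

// Gate 2 (assumed claim name 'role'): a developer claim minted into the custom
// token, e.g. admin.auth().createCustomToken(uid, { role: 'editor' }), surfaces
// in context.auth.token, so authorization can be decided per call.
function requireRole(context, role) {
  const auth = requireAuth(context);
  const claims = auth.token || {};
  if (claims.role !== role) {
    throw new HttpsError('permission-denied', `Role '${role}' required.`);
  }
  return auth;
}

// The question's handler body, now guarded. Kept as a plain function so it can
// be exercised without deploying; the SDK wiring is shown at the end.
function heyHandler(data, context) {
  const auth = requireAuth(context);
  return { hello: 'world', uid: auth.uid };
}

function editorOnlyHandler(data, context) {
  const auth = requireRole(context, 'editor');
  return { ok: true, uid: auth.uid };
}

// Map an HttpsError code to the upper-case status string the callable client
// surfaces (the question's log shows "FirebaseFunctionsException: UNAUTHENTICATED").
function statusFor(err) {
  return err.code.toUpperCase().replace(/-/g, '_');
}

// Run a handler the way a local harness would, returning either the result or
// the error status instead of throwing.
function invoke(handler, data, context) {
  try {
    return { status: 'OK', result: handler(data, context) };
  } catch (err) {
    if (err instanceof HttpsError) {
      return { status: statusFor(err), message: err.message };
    }
    throw err; // unexpected failures must not be masked as auth errors
  }
}

// Constructed contexts (not real requests).
const anonymousContext = { auth: null };
const customTokenUser = {
  auth: { uid: 'user_123', token: { uid: 'user_123', firebase: { sign_in_provider: 'custom' } } },
};
const editorUser = {
  auth: { uid: 'user_456', token: { uid: 'user_456', role: 'editor' } },
};

function demo() {
  return [
    invoke(heyHandler, null, anonymousContext),        // UNAUTHENTICATED
    invoke(heyHandler, null, customTokenUser),         // OK, { hello: 'world', uid: 'user_123' }
    invoke(editorOnlyHandler, null, customTokenUser),  // PERMISSION_DENIED
    invoke(editorOnlyHandler, null, editorUser),       // OK
  ];
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}

// In the deployed index.js the only SDK-specific lines would be (assumed
// wiring, deliberately not executed here so the file needs no package install):
//   const functions = require('firebase-functions');
//   exports.hey = functions.https.onCall(heyHandler);
```

Because the handler is a plain function, the same gates can be unit-tested with hand-built contexts before deployment; the IAM invoker role only decides whether Google Cloud lets the HTTP request reach the function at all, while the decision about which Firebase user may do what still lives in code like this.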